With the May 25th deadline for GDPR compliance now long gone, is your organization currently in compliance?
If your answer is “no,” take heart: You are not alone. Most CIOs report that, when this sweeping new privacy-and-security law takes effect, their enterprise will not meet its mandates. Many say they are confused about exactly what they must do to avoid the heavy penalties—and loss of reputation—they may face as a result.
Granted, a regulation with 99 directives can be intimidating. But non-compliance with the GDPR is not an option, not for those wanting to do business with people and companies in the EU. The penalty, if you do not comply, may be steep: up to 4 percent of annual global revenue or 20 million euros, whichever is greater. The impacts on your brand could be even greater.
CIOs and managers would do well to plunge in now, if they haven’t already, and begin to crack the GDPR compliance code. That way, even if your enterprise falls under scrutiny, you will be able to show a good-faith effort—crucial for mitigating penalties and protecting your organization’s good name.
Laying the foundation: Step one
A good first step toward GDPR compliance is understanding what the GDPR is and does, and how it differs from its predecessor, the Data Protection Directive 95/46/EC (the 1995 Data Directive).
As its name implies, protecting privacy is the impetus behind the GDPR. The EU has long required organizations within the EU to secure citizens’ personal data. The GDPR codifies those expectations and expands them in a law that applies not only to EU-based enterprises, but to all organizations worldwide that collect, process, store, or share the information of citizens resident in the EU.
The GDPR establishes specific rights for individuals, requiring that:
- Citizens actively consent to each proposed use of their information,
- Certain “special categories” of data be handled in specified ways, and
- Organizations delete or return, upon the owner’s request, the data they have collected.
And no longer is the concern only with EU-based organizations. Because the GDPR is a citizens’-rights law, its mandates affect every enterprise around the world doing business with EU citizens who live in any of the EU’s 28 member states.
Essentially, if your operation has an online presence and your website, products, or services are accessible to people in Europe—if they might join your mailing list or give you their credit card information—you will need to obey this law.
To reach compliance, you almost certainly will need to scrutinize and enhance your organization’s policies and procedures from beginning to end, from the drafting stage all the way through editing, approving, updating, distributing, implementing, training, documenting, maintaining, and auditing.
Having the proper policies and procedures in place is key to GDPR compliance. Why? Because policies and procedures are the backbone of your organization, comprising a set of shared standards designed to strengthen and support your organization’s success.
Do you even have a written policy for handling, tracking, storing and sharing the data you collect? Do you have clear steps defined in the process, including how to tag data so you can easily retrieve it no matter where it goes?
Once you’ve got the proper policies in place, you’ll need to determine which of them your enterprise is in compliance with and where it falls short, and what you must do to reach compliance. This stage, policy management, is too often overlooked or given short shrift—which could result in falling out of GDPR compliance after you have worked so hard to reach that goal.
Recommendations for successful policy management include:
- Build a policy management system.
- Take a risk-based approach to building policies and procedures.
- Automate as much as possible.
- Maintain a consistent format across all policies and procedures.
- Maintain a system of record for reporting and auditing.
- Restrict changes to policies and procedures to applicable staff.
- Link all documents to GDPR principles.
At the end, you should have a policy inventory with detailed information about each policy and which GDPR controls it addresses, and how. You must also make sure to update your policies whenever the GDPR changes or other new industry requirements come along, and make sure employees have access to the latest versions—including translations for international audiences.
One step at a time
Once you have the proper policy management system in place and your policy inventory complete, you can take the next practical steps toward GDPR compliance. Fortunately, many of these can be handled with ease if you have the right technologies at your fingertips. These steps include:
- Conduct a risk assessment to identify where your policies, procedures and risks lie across the enterprise.
- Set a budget for policy management software, storage, GRC, staff and other resources.
- Harmonize and map GDPR controls based on standard frameworks and existing compliance controls.
- Automate policy management to save time and reduce costs.
- Track attestations consistently, and keep records in one place for ready retrieval in the event of legal action.
- Consider how you can use policy management tools to meet third-party and auditor needs.
- Make sure the processes and program you build will be auditable, and will stand over time.
The GDPR is here to stay, and pretty much every enterprise doing business online—and some that don’t—will need to comply with its mandates. The bad news is, it’s a big and complex law, and it’s taking effect very soon. The good news, however, is that there is an app for that, offering a simple, worry-free path to GDPR compliance.
The Zen of GDPR compliance
Reciprocity’s governance, risk, and compliance software, ZenGRC, is designed to turn a confusing, even overwhelming set of tasks—GDPR compliance, for instance—into a streamlined, one-step-at-a-time process.
ZenGRC’s System of Record Dashboard tracks your progress as you build your GDPR policies and procedures. Fully deployed in just six to eight weeks, it provides easy mapping of your organizational policies and procedures to show how they correspond to risk, controls, and requirements. It lists which objectives your enterprise complies with and which still need work, and tells you what you need to do to check each item off your list.
Better yet, ZenGRC will automate the workflows needed for each task, saving you time and money.
It provides role-based information access to help you better manage policies, including updating them and keeping track of the various versions of each, and notifies you when changes come along requiring updates. Should your business fall out of compliance, you will know.
With ZenGRC, you will also know whether your employees fully understand the GDPR and your company’s related policies. This powerful software surveys workers to measure their comprehension, and helps them improve where needed.
ZenGRC also tracks your efforts to comply with the GDPR. Its self-auditing feature gives you full confidence that you’re in compliance, and provides all the information needed for quick, accurate, and defensible external audits, where needed.
With the deadline looming for GDPR compliance, you may feel tempted to bury your head in the sand and hope that your enterprise won’t be scrutinized. The impulse is understandable, given the regulation’s complexity.
But compliance doesn’t have to be so difficult. Help is at hand, and simplification right at your fingertips. Contact Reciprocity today to find out how our ZenGRC software can ease your GDPR compliance worries–freeing your mind, and your business, to focus on what matters most: your customers.